IRS' Year 2000 Efforts: Business Continuity Planning Needed for Potential Year 2000 System Failures

GGD-98-138 Published: Jun 15, 1998. Publicly Released: Jun 15, 1998.

Highlights

GAO reviewed the Internal Revenue Service's (IRS) efforts to have its information systems function correctly when processing dates beyond December 31, 1999, focusing on: (1) IRS' progress in converting its systems according to the guidelines in GAO's year 2000 assessment guide; (2) the risks IRS faces to completing the year 2000 effort on time; and (3) risks to the continuity of IRS operations in the event of year 2000-induced system failures.

Recommendations

Recommendations for Executive Action

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by soliciting the input of business functional area officials to identify IRS' core business processes and prioritize those processes that must continue in the event of year 2000-induced failures.
Status: Closed – Implemented
IRS established a business contingency planning working group that includes staff from business functional units. This working group: (1) identified core business processes, (2) developed failure scenarios for those processes and mapped subprocesses to systems, (3) assigned a business impact value to the core business process, (4) developed risk assessment ratings for processes by assigning a probability of risk multiplied by its business impact rating; and (5) determined that IRS needed to develop 37 contingency plans.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by mapping IRS' mission-critical systems to those core business processes.
Status: Closed – Implemented
IRS completed its mapping of systems to core business processes.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by determining the impact of information system failures on each core business process.
Status: Closed – Implemented
IRS established a business contingency planning working group that includes staff from business functional units. This working group: (1) identified core business processes, (2) developed failure scenarios for those processes and mapped subprocesses to systems, (3) assigned a business impact value to the core business process, (4) developed risk assessment ratings for processes by assigning a probability of risk multiplied by its business impact rating; and (5) determined that IRS needed to develop 37 contingency plans.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by assessing any existing business continuity and contingency plans that may have been developed for non-year 2000 reasons to determine whether these plans are applicable to year 2000-induced failures.
Status: Closed – Implemented
According to IRS officials, they did do this assessment and found that existing plans were, for the most part, not applicable to Year 2000 failures. GAO requested a written copy of this analysis but IRS officials said that the results of their analysis were not documented.

Agency Affected: Internal Revenue Service
Recommendation: The Commissioner of Internal Revenue should ensure that IRS has adequately assessed the vulnerabilities of its core business processes in the event of year 2000-induced system failures by developing and testing contingency plans for core business processes if existing plans are not appropriate.
Status: Closed – Implemented
According to IRS' September 15, 1999, Business Contingency Plan Weekly Status Report, 40 business contingency plans have been completed and all but 3 of those Plans have been tested. GAO's recent report (GAO/GGD-99-176) discusses the results of its review of two key business contingency plans and states that two plans were inconsistent and incomplete in two key areas and these weaknesses raise questions about whether these two plans provide sufficient assurance that IRS has taken all the necessary steps to reduce the impact of a potential Year 2000 failure. Moreover, the report said that the weaknesses in these two plans raise questions about the extent to which other plans may have similar weaknesses. Accordingly, IRS agreed to take steps to help ensure the completeness and consistency of all business contingency plans. On June 8, 2000, I contacted Carole Sheehy in IRS' Business Systems Requirements Office and she said IRS had completed these actions for the other plans.

Topics

Contingency plans
Data integrity
Information resources management
Mission critical systems
Servers
Software
Software verification and validation
Strategic information systems planning
System software
Systems conversions
Tax administration systems
Y2K